package org.example.javax.security.kerberos.demo1;

import java.io.File;
import java.io.IOException;
import java.security.PrivilegedAction;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/*
* klist -kt test1.keytab test1
*/
public class KerberosClient {
    final Subject subject = new Subject();

    public static void main(String[] args) {
        new KerberosClient().run();
    }

    public void run() {
        Krb5Configuration conf = new Krb5Configuration();
        try {
            String sep = File.separator;
            System.out.println("KerberosClient.main():" + System.getProperty("java.home") + sep + "lib" + sep
                    + "security" + sep + "java.security");
            //自己录入密码
//            LoginContext context = new LoginContext("test", subject, new CallbackHandler() {
//                @Override
//                public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
//                    for (int i = 0; i < callbacks.length; i++) {
//                        if (callbacks[i] instanceof NameCallback) {
//                            NameCallback nc = (NameCallback) callbacks[i];
//                            nc.setName("test1");
//                        } else if (callbacks[i] instanceof PasswordCallback) {
//                            PasswordCallback pc = (PasswordCallback) callbacks[i];
//                            pc.setPassword("test1".toCharArray());
//                        } else {
//                            throw new UnsupportedCallbackException(
//                                    callbacks[i], "Unrecognized Callback");
//                        }
//                    }
//                }
//            }, conf);

            // useTicketCache
            LoginContext context = new LoginContext("test1", subject, null, conf);
            context.login();
            System.out.println(subject);
            System.out.println(Subject.doAs(subject, new PrivilegedAction<Object>() {
                @Override
                public Object run() {
                    System.out.println("do some thing must have permission1");
                    getTGT();
                    System.out.println(subject.getPrincipals());
                    return 1;
                }
            }));


            try {
                Thread.sleep(1000);
            } catch (InterruptedException ignore) {
            }
            System.out.println(Subject.doAs(subject, new PrivilegedAction<Object>() {
                @Override
                public Object run() {
                    System.out.println("do some thing else must have permission2");
                    System.out.println(subject.getPrincipals());
                    getTGT();
                    return 2;
                }
            }));
            context.logout();
        } catch (LoginException e) {
            e.printStackTrace();
        }
    }

    private synchronized KerberosTicket getTGT() {
        Set<KerberosTicket> tickets = subject
                .getPrivateCredentials(KerberosTicket.class);
        for (KerberosTicket ticket : tickets) {
            if (isTGSPrincipal(ticket.getServer())) {
                System.out.println("Found tgt " + ticket);
                return ticket;
            }
        }
        return null;
    }

    static boolean isTGSPrincipal(KerberosPrincipal principal) {
        if (principal == null)
            return false;
        if (principal.getName().equals("krbtgt/" + principal.getRealm() +
                "@" + principal.getRealm())) {
            return true;
        }
        return false;
    }
}
